Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Spoke & Hub VPN topology: Getting strange log msgs on hub site ASA 5520 trying to filter NAT'ed traffic from remote site PCs

I've got a Hub & Spoke VPN network set up with an ASA 5520 at the Hub/Headquarters location, and a 5505 at each of two remote "Spoke" sites, A & B. I wish to have all my Internet-destined traffic from PCs at the remote sites forced thru the tunnels back to the central ASA 5520 and NAT'ed there to go out to the world via my headquarters' main fiberoptic internet feed. I've got all the hub & spoke IPSec tunnels with remote-to-remote hairpin turn routing configs working, and the remote site PCs getting their raw Internet NAT'ed at the central site such that the remote site's internet connetions (DSL & cablemodems) are strictly carrying only the encrypted tunnel traffic back to headquarters and the remote site ASA 5505 units are not performing Internet-NAT for the PCs at those sites..... via help from this thread: https://supportforums.cisco.com/message/3224349#3224349

Now I wish to restrict the NAT at the central site for these remote sites such that all Internet-bound NAT'ed traffic from remote site PCs is blocked from going out anywhere into the world except for traffic to a tightly restricted set of Internet server addresses out there and also perhaps only on selected tcp ports and of course allow return traffic from those sites back to my remote sites' PCs.

Right now the VPN tunnels between HQ and Remote A & B all come up just fine, and I can ping and flow traffic between all 3 sites just fine, and when I put a dynamic NAT policy rule on the outside interface of my central ASA5520 for a remote site PC, it allows the remote site PC to have access to the allowed site, going out thru my central site's 20Mbps fiberoptic feed, but the 5520's log still shows connections being built from the remote PC to any site that's not explicitly allowed whenever I try to hit a site not allowed. The remote PC appears unable to connect to those unallowed sites, but seeing the log messages on the 5520 showing the connections being built anyway is quite concerning to me.

Here's an example log message when I try to hit CNN's website from the remote PC, which isn't supposed to be allowed in my test:

6Nov 18 201013:18:29REMOTESITE_B_PC1001251157.166.226.2680Built inbound TCP connection 8413 for Outside:REMOTESITE_B_PC100/1251 (REMOTESITE_B_PC100/1251) to Outside:157.166.226.26/80 (157.166.226.26/80)

Here's sanitized portions of the relevant ASA configs at HQ, and Remote B.  (Remote A is identical to Remote B's configs, just different ISP and internal lan ip addrs.... but I'm doing all my testing with Site B at the moment because I have its ASA5505 sitting on my desk right now connected to a laptop PC for testing and a separate internet feed from my main HQ's feed)

Is there a better way to filter the outbound NAT'ed traffic? Whenever I try to add any ACLs it seems to break the VPN tunnels, and the Dynamic NAT Policy seems to be the closest tool available to get what I need here, but shouldn't I see "Denied" messages in the 5520 log when I try to hit unallowed  addresses, instead of the ASA happily building connections?

HQ's ASA 5520 configs (all addrs sanitized, and only the relevant VPN stuff included):

========================================================

ASA Version 8.2(3)
!
hostname HQASA5520
domain-name hqdomain.blah
enable password ******** encrypted
passwd ******** encrypted
names

name 172.16.22.7 INTERNAL_WORKSTATION_PC7  (my management workstation)

name 172.16.1.2 Inside-Interface

name 172.16.0.0 Internal-Network

name 172.20.26.0 LAN-REMOTESITE_A
name 172.20.27.0 LAN-REMOTESITE_B
name 172.20.27.100 REMOTESITE_B_PC100  (remote B testing laptop at my desk)

name 1.1.1.2 Outside-Interface
name 99.99.99.101 OutsideIntf_REMOTESITE_A
name 222.222.222.202 OutsideIntf_REMOTESITE_B
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address Outside-Interface 255.255.255.0
!
interface GigabitEthernet0/1
nameif Inside
security-level 80
ip address Inside-Interface 255.255.0.0
!
!

same-security-traffic permit intra-interface

object-group network NAT_POOL_01
network-object host 1.1.1.100
network-object host 1.1.1.101
network-object host 1.1.1.102
network-object host 1.1.1.103
network-object host 1.1.1.104
network-object host 1.1.1.105
network-object host 1.1.1.106
network-object host 1.1.1.107
network-object host 1.1.1.108
network-object host 1.1.1.109
network-object host 1.1.1.110
network-object host 1.1.1.111
network-object host 1.1.1.112
network-object host 1.1.1.113
network-object host 1.1.1.114
network-object host 1.1.1.115
network-object host 1.1.1.116
network-object host 1.1.1.117
network-object host 1.1.1.118
network-object host 1.1.1.119
network-object host 1.1.1.120

access-list Outside_access_in extended deny ip any any

access-list Inside_access_in extended permit ip host INTERNAL_WORKSTATION_PC7 any
access-list Inside_access_in extended permit ip Internal-Network 255.255.0.0 LAN-REMOTESITE_A 255.255.255.0
access-list Inside_access_in extended permit ip Internal-Network 255.255.0.0 LAN-REMOTESITE_B 255.255.255.0
access-list Inside_access_in extended deny ip any any

access-list ROADWARRIOR_VPN_splitTunnelAcl standard permit Internal-Network 255.255.0.0

access-list Outside_cryptomap_REMOTESITE_A extended permit ip Internal-Network 255.255.0.0 LAN-REMOTESITE_A 255.255.255.0
access-list Outside_cryptomap_REMOTESITE_A extended permit ip LAN-REMOTESITE_B 255.255.255.0 LAN-REMOTESITE_A 255.255.255.0
access-list Outside_cryptomap_REMOTESITE_A extended permit ip any LAN-REMOTESITE_A 255.255.255.0

access-list Outside_cryptomap_REMOTESITE_B extended permit ip Internal-Network 255.255.0.0 LAN-REMOTESITE_B 255.255.255.0
access-list Outside_cryptomap_REMOTESITE_B extended permit ip LAN-REMOTESITE_A 255.255.255.0 LAN-REMOTESITE_B 255.255.255.0
access-list Outside_cryptomap_REMOTESITE_B extended permit ip any LAN-REMOTESITE_B 255.255.255.0

access-list Inside_nat0_outbound extended permit ip Internal-Network 255.255.0.0 192.168.2.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Internal-Network 255.255.0.0 LAN-REMOTESITE_A 255.255.255.0
access-list Inside_nat0_outbound extended permit ip Internal-Network 255.255.0.0 LAN-REMOTESITE_B 255.255.255.0
access-list Inside_nat0_outbound extended permit ip LAN-REMOTESITE_B 255.255.255.0 LAN-REMOTESITE_A 255.255.255.0
access-list Inside_nat0_outbound extended permit ip LAN-REMOTESITE_A 255.255.255.0 LAN-REMOTESITE_B 255.255.255.0
access-list Inside_nat0_outbound extended deny ip any any

access-list Outside_nat_outbound extended permit ip host REMOTESITE_B_PC100  101.102.103.0  255.255.255.0

ip local pool ROADWARRIOR_VPN_POOL_01 192.168.2.101-192.168.2.132 mask 255.255.255.0

global (Outside) 101 1.1.1.100-1.1.1.120 netmask 255.255.255.0

nat (Outside) 101 access-list Outside_nat_outbound

nat (Inside) 0 access-list Inside_nat0_outbound

nat (Inside) 101 INTERNAL_WORKSTATION_PC7 255.255.255.255


access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server IAS1 protocol radius
aaa-server IAS1 (Inside) host 172.16.6.100
timeout 5
key *****
aaa authentication ssh console LOCAL

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-

AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map Outside_map 26 match address Outside_cryptomap_REMOTESITE_A
crypto map Outside_map 26 set pfs group5
crypto map Outside_map 26 set peer 99.99.99.101
crypto map Outside_map 26 set transform-set ESP-AES-128-SHA
crypto map Outside_map 26 set phase1-mode aggressive group5

crypto map Outside_map 27 match address Outside_cryptomap_REMOTESITE_B
crypto map Outside_map 27 set pfs group5
crypto map Outside_map 27 set peer 222.222.222.202
crypto map Outside_map 27 set transform-set ESP-AES-128-SHA
crypto map Outside_map 27 set phase1-mode aggressive group5

crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca server

crypto isakmp enable Outside
crypto isakmp enable Inside

crypto isakmp policy 20
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

crypto isakmp policy 30
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400

crypto isakmp policy 50
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 5
!

group-policy ROADWARRIOR_VPN internal
group-policy ROADWARRIOR_VPN attributes
dns-server value 172.16.6.100 172.16.6.110
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ROADWARRIOR_VPN_splitTunnelAcl
default-domain value hqdomain.blah

group-policy SITE-to-SITE internal
group-policy SITE-to-SITE attributes
vpn-tunnel-protocol IPSec

tunnel-group ROADWARRIOR_VPN type remote-access
tunnel-group ROADWARRIOR_VPN general-attributes
address-pool ROADWARRIOR_VPN_POOL_01
authentication-server-group IAS1
default-group-policy ROADWARRIOR_VPN
tunnel-group ROADWARRIOR_VPN ipsec-attributes
pre-shared-key *****

tunnel-group 99.99.99.101 type ipsec-l2l
tunnel-group 99.99.99.101 general-attributes
default-group-policy SITE-to-SITE
tunnel-group 99.99.99.101 ipsec-attributes
pre-shared-key *****

tunnel-group 222.222.222.202 type ipsec-l2l
tunnel-group 222.222.222.202 general-attributes
default-group-policy SITE-to-SITE
tunnel-group 222.222.222.202 ipsec-attributes
pre-shared-key *****
!

REMOTE SITE B's ASA 5505 configs (all addrs sanitized, and only the relevant VPN stuff included):

========================================================

SA Version 8.2(3)
!
hostname ASA5505-REMOTE-B
domain-name hqdomain.blah

enable password ******** encrypted
passwd ******** encrypted

names

name 172.20.27.0 Internal-Network
name 172.20.27.100 REMOTESITE_B_PC100

name 172.20.26.0 LAN-REMOTESITE_A
name 172.16.0.0 LAN-HEADQUARTERS

!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
nameif inside
security-level 100
ip address 172.20.27.1 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 222.222.222.202 255.255.255.0
!

access-list outside_1_cryptomap extended permit ip Internal-Network 255.255.255.0 LAN-HEADQUARTERS 255.255.0.0
access-list outside_1_cryptomap extended permit ip Internal-Network 255.255.255.0 LAN-REMOTESITE_A 255.255.255.0
access-list outside_1_cryptomap extended permit ip Internal-Network 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip Internal-Network 255.255.255.0 LAN-HEADQUARTERS 255.255.0.0
access-list inside_nat0_outbound extended permit ip Internal-Network 255.255.255.0 LAN-REMOTESITE_A 255.255.255.0


icmp permit LAN-HEADQUARTERS 255.255.0.0 inside

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
route outside 0.0.0.0 0.0.0.0 222.222.222.1 1


crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.1.1.2
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set phase1-mode aggressive group5
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

group-policy REMOTE_B_SITE-TO-SITE internal
group-policy REMOTE_B_SITE-TO-SITE attributes
vpn-filter none
vpn-tunnel-protocol IPSec
tunnel-group 1.1.1.2 type ipsec-l2l
tunnel-group 1.1.1.2 general-attributes
default-group-policy REMOTE_B_SITE-TO-SITE
tunnel-group 1.1.1.2 ipsec-attributes
pre-shared-key *****
!

1 REPLY
Cisco Employee

Re: Spoke & Hub VPN topology: Getting strange log msgs on hub si

Hi Neal,

Based on your config, you are PATing traffic from 172.20.27.100 destined to 101.102.103.0  255.255.255.0 to the outside interface IP address of the ASA 5520.

Just to clarify things out here. Only when the above situation is satisfied will the ASA create a translation and send the traffic out.

When you access CNN or any other server out on the internet which is not a part of the ACL "Outside_nat_outbound", the ASA will send the traffic out without creating a translation. So effectively, the pakcet will go out on the internet with a private IP address of 172.20.27.100. When the CNN (
or any other) server replies back to this proivate IP address, it will never reahc your ASA because private range of IPs are not routable on the internet.

So the fact is, though the ASA allows those connections, they will ever work because the ASA does not translate those IPs to its interface IP address. There is nothing to worry about.

Hope this clarifies things out!! Let me know if this is clear.

Cheers,

Prapanch

322
Views
0
Helpful
1
Replies
CreatePlease to create content